AI Use Policy Template for BC Businesses | North Star
An AI Use Policy Template for BC Businesses

AI tools are in your business whether IT approved them or not. Your staff are using ChatGPT, Claude, Gemini, and the AI features built into the tools they already subscribe to, sometimes with your client data, sometimes without realising the risk. A policy doesn't stop people from using AI. It tells them what they can use it for, what data they can share with it, and what requires human oversight. Here is a working template to adapt.

Version: 1.0 | Effective date: [Date] | Owner: [Privacy Officer / Operations Lead]

Section 1: Purpose and Scope

This policy governs the use of artificial intelligence tools by [Business Name] employees, contractors, and any other persons accessing company systems. It applies to:

  • Public AI services: ChatGPT, Claude, Gemini, Perplexity, and similar consumer or enterprise services where you submit content to a third-party system.
  • Embedded AI in existing tools: Microsoft Copilot in M365, AI features in your CRM, Grammarly, and similar features embedded in software you already use.
  • Custom AI: any AI system built or commissioned specifically for this business.

All three categories are in scope. Different rules apply to each.

Section 2: Data Classification

Before using any AI tool, classify the data you intend to input:

Class        | Definition                                                | Examples
Public       | Information we'd publish on our website                   | Marketing copy, published pricing, general FAQs
Internal     | Not public, but not sensitive                             | Meeting notes about internal projects, draft schedules
Confidential | Client data, financial data, business IP                  | Client records, contracts, financial statements
Restricted   | Regulated personal data, legally privileged information   | Health data, data subject to PIPEDA/PIPA, legal advice

Public AI services (consumer tier) may receive Public data only. Enterprise-tier AI services with a signed DPA may receive Internal and, where vendor controls are verified, Confidential data. Restricted data requires explicit approval from [Privacy Officer] before any AI processing.

Section 3: Approved Tools

Tool                                               | Approved data classes          | Notes
Microsoft 365 Copilot (M365 Business/Enterprise)   | Public, Internal, Confidential | Data stays in M365 tenant; DPA in place
[Other enterprise tool]                            | Public, Internal               | Review DPA before adding Confidential data
ChatGPT (free/personal tier)                       | Public only                    | Do not enter client names, financials, or internal project details

Adding a new AI tool: Before using a new AI tool for anything beyond Public data, submit a vendor assessment to [IT Contact]. Do not install browser extensions or integrations that access company systems without IT review.

Section 4: Human-in-the-Loop Requirements

AI can suggest. Humans approve. The following categories require documented human review before AI output is acted upon or sent externally:

  • Customer-facing communications
  • Financial calculations, quotes, or transactions
  • Hiring decisions or performance assessments
  • Legal positions or contract language
  • Medical or safety-related advice

"Human review" means a qualified person reads the output, verifies it against available information, and takes ownership of the decision. Log the review.

Section 5: Output Verification

AI tools hallucinate: they generate plausible-sounding but incorrect information with no visible signal that they have done so. Any AI-generated output used in a client deliverable, regulatory submission, or public communication must be verified against a primary source before use.

Do not cite statistics, legal provisions, or technical specifications from AI output without verifying them independently.

Section 6: Vendor Due Diligence

Before adopting a paid AI tool for Confidential or Internal data, document:

  • Does the vendor train on your data? (Confirm in their DPA, not their marketing page.)
  • Where is data stored and processed? (For Canadian privacy compliance, Canadian or adequately protected storage is preferred.)
  • What is their breach notification commitment?
  • Do they hold SOC 2 Type II or equivalent?
  • What is their data retention period?

Most consumer AI tools fail one or more of these. Most enterprise AI tools pass. Know which you're using.

Section 7: Training

All staff who use AI tools in their work will complete a 30-minute onboarding session covering this policy, approved tools, and data classification. This session will be repeated annually or when this policy is materially updated.

Section 8: Violations

Violations of this policy, including sharing Restricted or Confidential data with unapproved AI tools, will be treated as a data handling incident under our Incident Response Policy and may result in disciplinary action.

This template is a starting point. Have your legal adviser review it before publication, especially if your business is subject to PIPEDA, BC PIPA, health privacy legislation, or sector-specific regulations.

To talk to a Prince George-based IT team about implementing AI tools safely, call 672-983-1174 or book a free assessment at northstarit.ca.